1

在我的 k8s 集群中,下面列出了一些秘密资源。

$kubectl 获取秘密 -n istio-system
NAME TYPE
default-token-4wwkb kubernetes.io/service-account-token istio-ca-secret istio.io/ca-root
istio-ca-service-account-token-rl4xm kubernetes.io/service-account-token
istio-egress-service-account-token-vbfwf kubernetes.io/service-account-token
istio-ingress-certs kubernetes.io/tls
istio-ingress-service-account-token-kwr85 kubernetes.io/service-account-token istio-mixer-service-account-token-29qbb kubernetes.io/service-account-token istio-pilot-service-account-token-t6kmf kubernetes.io/service-account-token istio.default istio.io/key-and-cert
istio.istio-ca-service-account istio.io/key-and-cert
istio.istio-egress-service-account istio.io/key-and-cert
istio.istio-ingress-service-account istio.io/key-and-cert
istio.istio-mixer-service-account istio.io/key-and-cert
istio.istio-pilot-service-account istio.io/key-and-cert
istio.test-istio-sa istio.io/key-and-cert
test-istio-sa-token-4zm9k kubernetes.io/service-account-token

现在想用rbac控制一个service account test-istio-sa,这样test-istio-sa只能访问kubernetes.io/service-account-token类型的所有secret,比如istio-ca-service- account-token-rl4xm 和 istio-ingress-service-account-token-kwr85。

我创建了一个角色 kube-sa-token-reader,并将其绑定到服务帐户 test-istio-sa。

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: istio-system
  name: kube-sa-token-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["secrets/kubernetes.io/service-account-token"] # grant access to all service account tokens
  verbs: ["get", "watch", "list"]

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-kube-sa-token
  namespace: istio-system
subjects:
- kind: ServiceAccount
  name: test-istio-sa
roleRef:
  kind: Role
  name: kube-sa-token-reader
  apiGroup: rbac.authorization.k8s.io

但它似乎没有按预期工作。 $ kubectl auth can-i get secret/kubernetes.io/service-account-token -n istio-system --as system:serviceaccount:istio-system:test-istio-sa

no - Unknown user "system:serviceaccount:istio-system:test-istio-sa"

4

0 回答 0